Security Certification Maintenance

Jake Nelson — Wed, 07 Dec 2016 20:16:07 +0000

As you release new versions of previously certified and validated products, it is crucial that you develop a security certification maintenance plan to keep up with the evolution of your technology. Corsec’s Maintenance and Compliance Service helps you determine whether a full re-evaluation is necessary, or if you can pursue other measures to continue generating revenue from your initial certification or validation.

Security Certification Maintenance:

Each security certification has its own unique requirements for maintenance and renewal. Corsec’s engineering team helps you understand the specific actions you will need to take for each of their products and certifications.

FIPS 140-2
The FIPS 140-2 validation process lists five change scenarios that are used to determine if a product requires revalidation, or if documentation alone can address the changes at issue. Corsec will help determine which scenario mostly closely aligns to the latest version of your product.

Common Criteria
Common Criteria determines re-evaluation through a process called Assurance Continuity (AC). If major changes have occurred in the security environment, evidence needs to be submitted to a laboratory and the product needs to be re-evaluated. If minor changes have occurred, a vendor can perform “Assurance Maintenance,” a report that is attached as an addendum to the original product certification, as long as it is within two years of the initial issuance date.

DoDIN APL
In order to maintain a listing on the DoDIN APL, you must complete a Desktop Review (DR) for each major product version. In such a review, a high-level assessment determines whether the product listing will simply be updated with the new version identifier, whether minimal testing must be performed on the new version prior to receiving an updated listing, or whether the product must undergo a new evaluation in its entirety.

Keep Products Market-Ready

Corsec helps ensure that our partners continue to benefit from the efforts they put in initially to get their products certified or validated. If you have questions on the requirements around your products’ recertification or revalidation, we can help determine the best path forward with little to no disruption of your revenue stream.

The post Security Certification Maintenance appeared first on Corsec Security, Inc.®.

Budgeting for Certifications: Avoid Cost Creep

Jake Nelson — Thu, 30 May 2013 14:55:36 +0000

Budgeting for Common Criteria, FIPS 140-2, and the DoDIN APL can be confusing and overwhelming, but with the right information and resources, you will start to uncover the path thats right for you.

Understanding how to create your certification budget, and taking the necessary steps to follow through with that budget, can reduce your costs and simplify the certification process. We are frequently asked, “How much does certification cost?” This is similar to asking, “How much does a car cost?” The real answer is, “It depends.”

The first step in understanding how to budget for certification is to fully understand the scope of your project. Certification costs vary widely depending upon that scope. If yours is too broad, you may be needlessly spending money on a certification that will not provide a good return on investment. If your scope is too narrow, you may fail to capitalize on the true value of certification. Going through the process to properly identify the scope of your certification is the most important step to forming a meaningful budget for the project. Perhaps the key aspect in identifying the scope is determining the product or system to be evaluated. Once you’ve decided on a boundary or Target of the Evaluation (TOE) you will need to:

Determine the path and options available to you. For FIPS 140-2, you have the option of 4 validation levels. For Common Criteria, you may chose to certify under a Protection Profile (PP) or an Evaluation Assurance Level (EAL). These options can be done in numerous countries around the globe. When listing on the the APL, you need to determine which STIGs apply to your product.
Determine if the product will need to be modified in any way in order to meet requirements and how those modifications fit into the current development plan.

You have to go through the process to understand what you are certifying, and why, in order to understand what the budgetary requirements will be. Once you understand the scope of your certification process, you can begin to plan a reasonable budget. To start, make sure you cover all of the costs in your budget. Next, you must understand which parts of the budget are variable, and which parts are fixed. The following is a list of expenses that every good certification budget should include:

1. Documentation preparation

2. Project management costs

3. Development costs for algorithm testing/test case development/STIG testing/entropy supplement, etc.

4. Development costs for product modifications

5. Laboratory fees

6. Government fees

7. Testing-related travel expenses

8. Cost to distribute product to consultants and testing laboratories

Some of these costs will be “fixed price,” while others are not. Understanding how to assess these accurately is crucial to keeping “cost creep” under control. Properly scoped, this budget can be manageable and predictable. Focusing your budget on only one area of expenses, or failing to properly identify the scope your project, can result in a budget that continually expands throughout your certification effort.

For help getting started with yours, contact Corsec.

The post Budgeting for Certifications: Avoid Cost Creep appeared first on Corsec Security, Inc.®.

reevaluation Archives - Corsec Security, Inc.®

Security Certification Maintenance

Security Certification Maintenance:

Keep Products Market-Ready

Budgeting for Certifications: Avoid Cost Creep